Team

SEI team members

• Dr. Bill Claycomb (Co-PI)
• Andy Moore (Co-PI)
• Dr. Jason Clark
• Matt Collins
• Dr. Jen Cowley
• Bill Novak
• Dr. Bronwyn Woods

Engaged Stakeholders

• Two engaged USG partners
  - data and piloting

Collaborators

• CMU-CS (FY14-15)
  - Prof. Kathleen Carley
  - Neal Altman (staff)
  - Jeff Reminga (staff)
  - Geoff Morgan (student)
  - Matt Benigni (student)
• UC-Davis (FY15)
  - Prof. Sean Peisert
  - Julie B. Ard (student)
Project Framing

Objective: Develop scientifically and operationally validated insider threat indicators

• Need: DoD/Gov’t agencies and contractors are struggling to build mandated Insider Threat Programs, per Executive Order 13587

• Challenges:
  - Attacks are costly but relatively infrequent
  - Malicious and benign behaviors are difficult to distinguish

FY14 Focus: Dynamic analysis of social networks of convicted spies
BUT insiders are not the top actors in these networks - changes in relationships are key

• Hypothesis: Over time, insider social networks exhibit weakening of internal connections AND strengthening of external connections to adversaries

• Data: ~140 insider espionage incidents, from court records and media reports

• Data analysis method: Measure connection strength over time between insider and family/coworkers/adversaries (ORA toolset)

• Connection strength measures: communication frequency, reciprocity, time spent, volume, affect, truthfulness (in order of ease/integrity of measurement)
Context for Understanding Insider Behavior *

The Insider Cyber Espionage/Sabotage Problem

[Figure: the problem framed as competing interests. US/DOD group interests: National Security Interests. Competing group interests: Insider Self-Interest, Foreign National Interests, Ideological Interests.]

* Adapted from Bruce Schneier, “Liars and Outliers,” 2012.
Preliminary Observations from Incident Data

Broadly specified social networks of ~140 insider spies

• Showed increasing reliance on electronic means of illicit transfer/comms

Elaborated the time series of two incidents

• John Walker (and Walker spy ring)
• Private Bradley Manning (WikiLeaks)

Hypothesis supported, but the situation is more complex than framed

• Internal connections may weaken or strengthen over time
• Insider starts connecting more individuals over time (betweenness measure)
• Decrease in ratio of internal connections to external connections
• Excluding ring members, networks grow larger but less densely connected

Gain confidence in significance as we compare findings with baseline
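The measures listed above (betweenness of the insider, ratio of internal to external ties, and size and density of the network with ring members excluded), computed over a series of network snapshots. This is an added example, not code from the poster or from the ORA toolset; the snapshots, node names and the internal/ring groupings are constructed, and betweenness is computed with Brandes' shortest-path algorithm on an unweighted, undirected graph.

```python
from collections import deque
from itertools import combinations

# Constructed snapshots of one insider's undirected social network, one per
# period. Names and groupings are hypothetical placeholders, not case data.
INSIDER = "insider"
INTERNAL = {"spouse", "coworker_a", "coworker_b", "manager"}  # family/coworkers
RING = {"courier", "ring_member"}                             # spy-ring members

SNAPSHOTS = {
    "t0": [(INSIDER, "spouse"), (INSIDER, "coworker_a"), (INSIDER, "coworker_b"),
           (INSIDER, "manager"), ("coworker_a", "coworker_b"),
           ("coworker_a", "manager"), ("spouse", "coworker_b")],
    "t1": [(INSIDER, "spouse"), (INSIDER, "coworker_a"), (INSIDER, "manager"),
           (INSIDER, "handler"), ("coworker_a", "manager"), ("handler", "courier")],
    "t2": [(INSIDER, "spouse"), (INSIDER, "coworker_a"), (INSIDER, "handler"),
           (INSIDER, "courier"), (INSIDER, "ring_member"), (INSIDER, "contact_a"),
           (INSIDER, "contact_b"), ("courier", "ring_member"),
           ("handler", "contact_a")],
}


def adjacency(edges):
    """Undirected adjacency sets built from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def betweenness(adj):
    """Brandes' algorithm (unweighted, undirected). Returns raw betweenness:
    the number of shortest paths between other node pairs that pass through
    each node. The pass over all sources counts each pair twice, hence the
    final halving."""
    cb = {v: 0.0 for v in adj}
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma = {v: 0 for v in adj}
        sigma[s] = 1
        dist = {v: -1 for v in adj}
        dist[s] = 0
        queue = deque([s])
        while queue:                       # BFS that counts shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                       # accumulate path dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return {v: c / 2 for v, c in cb.items()}


def internal_external_ratio(adj):
    """Insider's internal (family/coworker) ties divided by external ties;
    infinity while there are no external ties at all."""
    ties = adj.get(INSIDER, set())
    internal = len(ties & INTERNAL)
    external = len(ties - INTERNAL)
    return internal / external if external else float("inf")


def size_and_density(adj, excluded):
    """Node count and edge density after removing the `excluded` nodes."""
    nodes = [v for v in adj if v not in excluded]
    n = len(nodes)
    if n < 2:
        return n, 0.0
    present = sum(1 for a, b in combinations(nodes, 2) if b in adj[a])
    return n, present / (n * (n - 1) / 2)


def analyse(snapshots):
    """One row of measures per period, in snapshot order."""
    rows = []
    for period, edges in snapshots.items():
        adj = adjacency(edges)
        size, density = size_and_density(adj, RING)
        rows.append({
            "period": period,
            "betweenness": betweenness(adj)[INSIDER],
            "int_ext_ratio": internal_external_ratio(adj),
            "size_ex_ring": size,
            "density_ex_ring": density,
        })
    return rows


if __name__ == "__main__":
    for row in analyse(SNAPSHOTS):
        print(row)
```

On the constructed data the insider's betweenness rises across the three periods while the internal-to-external ratio and the density excluding ring members fall, which is the shape of change the hypothesis looks for; on real data the same functions run over per-period snapshots, and the baseline comparison mentioned above decides whether such a change is significant.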
Value

Increasing betweenness during spy activities: insider starts connecting more individuals

Come to poster session to see detailed results and talk with analysts!

[Figure: Walker case; legend: Jerry Whitworth, Michael Walker, Arthur Walker, John Walker]

[Figure: Manning case; x-axis: Period (Manning specific 2000, 2003, 2006, 2009); legend: Bradley Manning, Julian Assange]
Theory Building: Social Capital Growth/Transfer

[Figure: system dynamics model of social capital growth/transfer; visible label: "insider financial incentive"]

* Adapted from Dudley’s “The Dynamic Structure of Social Capital: How Interpersonal Connections Create Communitywide Benefits,” 22nd Conf. of the System Dynamics Society, 2004.
New Work with UC-Davis in FY15

Sociotechnical network (STN) = social network + info flow network

Key Ideas

• Combine analysis of information flow networks with social network analysis
  - earlier detection with lower false positive rates
• Focus not on insider access rights
  - but on the movement and trajectory of info flow

Compare baseline document flows with actuals (Gemini tool)*

• Identify expected document workflows as baseline (up front)
• Compare actual document flows with expected; identify anomalies (real time)
• Requires comparing documents to documents and flows to flows
• Proposed measures
  - Document similarity: hashing, plagiarism detection, keyword matching
  - Flow similarity: graph matching algorithms, e.g., using GED (graph edit distance) measures

* Ard et al., “Information Behaving Badly,” NSPW ’13
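A minimal version of the two proposed measures: document similarity by hashing plus word-shingle Jaccard (a simple plagiarism-detection style measure), and flow similarity by a unit-cost graph edit distance between an expected document workflow and an observed one, so that a hop outside the baseline surfaces as an anomaly. This is an added example, not the Gemini tool or any code from the UC-Davis work; the roles, document texts and flows are constructed, and the edit distance treats role labels as fixed node identities, which is a simplification of general graph matching.

```python
import hashlib

# Constructed baseline and observed document flows. A hop is
# (from_role, to_role, document_id). Roles, documents and texts are
# hypothetical placeholders, not data from the project.
EXPECTED_FLOW = {
    ("author", "reviewer", "D1"),
    ("reviewer", "repository", "D1"),
    ("repository", "analyst", "D1"),
}
OBSERVED_FLOW = {
    ("author", "reviewer", "D1"),
    ("reviewer", "repository", "D1"),
    ("repository", "analyst", "D1"),
    ("analyst", "unexpected_endpoint", "D1x"),   # hop absent from the baseline
}
DOCS = {
    "D1": "Quarterly risk assessment for program alpha. Findings: three open items.",
    "D1x": "Quarterly risk assessment for program alpha. Findings: three open items. fwd",
    "D2": "Cafeteria menu for next week. Soup, salad, sandwiches.",
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text, k=3):
    """Set of k-word shingles; overlapping shingles survive small edits."""
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def doc_similarity(text_a, text_b, k=3):
    """1.0 on an exact (hash) match, otherwise shingle Jaccard similarity."""
    if sha256_hex(text_a) == sha256_hex(text_b):
        return 1.0
    return jaccard(shingles(text_a, k), shingles(text_b, k))


def canonical_doc(doc_id, expected_ids, threshold):
    """Map an observed document to the baseline document it most resembles,
    or keep its own id when nothing in the baseline is similar enough."""
    best_id, best_sim = doc_id, 0.0
    for eid in expected_ids:
        sim = doc_similarity(DOCS[doc_id], DOCS[eid])
        if sim > best_sim:
            best_id, best_sim = eid, sim
    return best_id if best_sim >= threshold else doc_id


def flow_edit_distance(expected, observed, threshold=0.8):
    """Unit-cost edit distance between two flow graphs whose nodes are roles.
    Simplification: role labels are treated as fixed node identities, so the
    distance is the number of roles plus the number of hops present in one
    flow but not the other, after mapping observed documents onto baseline
    ones. Returns (distance, missing_hops, extra_hops)."""
    expected_ids = {d for _, _, d in expected}
    canon = {(s, t, canonical_doc(d, expected_ids, threshold)) for s, t, d in observed}
    roles_exp = {r for s, t, _ in expected for r in (s, t)}
    roles_obs = {r for s, t, _ in canon for r in (s, t)}
    missing = expected - canon
    extra = canon - expected
    distance = len(roles_exp ^ roles_obs) + len(missing) + len(extra)
    return distance, missing, extra


if __name__ == "__main__":
    print(flow_edit_distance(EXPECTED_FLOW, OBSERVED_FLOW))
```

The document-matching step is what makes the flow comparison robust: the forwarded copy D1x is recognised as D1 by shingle similarity even though its hash differs, so the only remaining difference is the extra hop to a role the baseline never contained. A distance of zero means the observed flow matches the expected workflow exactly.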
Plans

Scientific and Operational Validation

Method / Data Set            | CERT Incident DB (Open Src) | SEI Emails (Anonymized) | Enron Emails (Public) | Partner Data (Operational)
Insider Social Net Analysis  | FY14                        | FY14/15                 | FY14/15               | FY15
Info Flow Net Analysis       | FY15                        | FY15                    | FY15                  | FY15/16

Theory Building

• Ground System Dynamics Model in insider threat risk measures based on sociotechnical net properties

Transition

• Developing Special Issue of Journal “Computational and Mathematical Organization Theory” based on Insider Threat ModSim Workshop (7/2014)
• Apply approaches in projects to develop DOD insider threat architectures
Publications - Pattern Language as a Transition Vehicle

Research results will continue to ground insider threat mitigation patterns

• 24 patterns identified, 6 analyzed, with 7 ACM/IEEE papers published
• Threat models published in book: CERT Guide to Insider Threats (2012)
• Pattern-Based Design of Insider Threat Programs: forthcoming

[Figure: pattern language map. Pattern groups: Getting the Right Workforce; Creating the Right Workforce Culture; Capability Development; Managing Employees Properly; Cutting Employee Ties When Appropriate. Scenarios: Mitigating Telework Abuse; Mitigating Disgruntlement at Negative Workplace Events; Mitigating Theft of IP at Departure. Pattern steps: to observe negative events that spur disgruntlement, Identify Concerning Negative Workplace Events; to observe suspicious acts, Increase Moni… / Indications of Dli… (labels truncated); to respond appropriately, Handle Suspi… (label truncated).]
Contact Information

Presenter / Point of Contact

Andrew P. Moore
CERT Program
Telephone: +1 412-268-5465
Email: apm@cert.org

Web

www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm
www.cert.org/insider-threat/

U.S. Mail

Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA

Customer Relations

Email: info@sei.cmu.edu
Telephone: +1 412-268-5800

SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257